Applying ACL to vty in IOS-XR

Unanswered Question
May 12th, 2011


I am trying to apply acl:s to vty on a ASR9k router.

I am doing the following, and this works...

ipv4 access-list VTY-ACL
 10 permit ipv4 any
 20 deny   ipv4 any any log
ipv6 access-list VTY-ACL
 10 permit ipv6 2001:DB8::/32 any
 20 deny   ipv6 any any log
vty-pool default 0 10
line default
 access-class ingress VTY-ACL

The ssh tcp port is still open from any host though. I am not beeing able to log in from other host but the ones specified in the acl:s, but it is possible to portscan tcp 22 from anyhost.

Any suggestions? When applying ACL directly on mgmt interface the port gets blocked.



I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 0 (0 ratings)
Bryan Garland Fri, 06/03/2011 - 11:04


This is not the preferred way to do this for the exact reasons you describe.  The better way to do this is via MPP, management plane protection.  This allows us to program the hardware via LPTS to drop unwanted requests in hardware instead of having to have software deal with it.




Login or Register to take actions

This Discussion

Posted May 12, 2011 at 7:14 AM
Replies:2 Avg. Rating:
Views:1566 Votes:0
Tags: asr9k, ios-xr

Related Content

Discussions Leaderboard